Figure 10.4 Using port forwarding to tunnel database connections over SSH.
instance installed on a server with an IP address of 192.168.3.33 listening
on the standard port 3306. In this case you can use the following command
to set up the tunnel:
ssh -L 10000:localhost:3306 192.168.3.33 -l mylogin -i ~/.ssh/id -N -g
This command sets up an SSH tunnel forwarding port 10000 on the client machine to port 3306 on the database server host, as shown in Figure 10.4. Let's look at the SSH arguments in more detail.
The -L parameter sets up port forwarding. The argument specifies that any connection attempted to port 10000 on the local machine should be carried over the SSH session to 192.168.3.33 and delivered there to port 3306 on localhost; note that the localhost in the -L argument is resolved on the SSH server, not on the client. This is where the magic occurs: both the database client and the database server are oblivious to the encryption taking place, but the data on the wire will be encrypted by the SSH tunnel. Without -g the forwarded port is bound to the client's loopback interface only; -g (used in the command above) also lets other hosts connect to port 10000 on your machine and reach the database through your tunnel, so omit it unless that is what you want. If you want to connect to the MySQL instance in this example, you should use mysql -u<usr> -p<pwd> -h 127.0.0.1 -P 10000 (uppercase -P is the port option; lowercase -p is the password; and 127.0.0.1 rather than localhost is used because the MySQL client treats -h localhost as a request for the local Unix socket, which would bypass the tunnel). Connecting to port 10000 on the local host means that you will be going through the SSH tunnel. If you want to ensure that unencrypted connections cannot occur (e.g., to block someone issuing mysql -u<usr> -p<pwd> -h 192.168.3.33 -P 3306 by mistake), you should only grant connections from localhost on the server machine (localhost now being the database server), e.g., by creating accounts as 'user'@'localhost' rather than 'user'@'%', and by setting bind-address=127.0.0.1 in the server configuration so that port 3306 is not reachable from the network at all. This will allow connections made over the SSH tunnel (because from the database server's perspective the connection is coming from the SSH server terminating the tunnel, as shown in Figure 10.4) but